RealTime IT News

Blog Archives

Pidgin 2.7.9 updates for security and smileys ?!

By Sean Kerner   |    December 29, 2010

From the ' :-) ' files:

The open source Pidgin instant messenger client is out with a new update fixing at least one security issue as well as an interesting emoticon/smiley issue.

Pidgin 2.7.9 has a security fix for what the changelog refers to as, "a crash when receiving short packets related to P2Pv2. (CVE ID pending)."

Aside from that there is a quirky bug fix, for an issue that I personally have never experienced in all my years of using Pidgin.

"When a conversation has reached the maximum limit on the number of smileys, display the text representation of the smiley properly when it contains HTML-escapable characters (e.g. "<3" was previously displayed as "&lt;3")," the changelog states.

That's right, apparently there is a maximum number of smileys that you can have in an IM window -- Who knew?

Not me :)

But it is good to know that if for whatever reason you feel the insatiable need to totally saturate an IM window with a hundred smileys -- you can.

Mozilla loses Firefox addons user reg data - Is there a risk to you?

By Sean Kerner   |    December 28, 2010

From the 'Nothing to See Here, Move Along' files:

As a regular user of the open source Mozilla Firefox addons.mozilla.org site for browser extensions, I was somewhat alarmed to see a report that user password and registration information may have been publicly leaked.

As it turns out, the risk is minimal, but it could have been worse -- a lot worse.

Chris Lyon, director of infrastructure security at Mozilla, blogged that a database containing 44,000 addons.mozilla.org user accounts was mistakenly left on a public server. Apparently the user accounts were all inactive, according to Lyon, and were using MD5-based password hashes.

"We erased all the md5-passwords, rendering the accounts disabled," Lyon wrote. "All current addons.mozilla.org accounts use a more secure SHA-512 password hash with per-user salts."

Lyon goes on to note that currently active addons.mozilla.org users (like me) are not at risk (phew!).

Pligg 1.1.3 updates open source digg clone for Karma

By Sean Kerner   |    December 27, 2010

From the '+1' files:

The open source Pligg project has been around now for five years and is celebrating with a new release.

The Pligg 1.1.3 release provides security and bug fixes as well as a new Karma-based voting method to complement the existing digg and reddit styles of voting.

I like to think of Pligg as an open source clone of Digg - a system where users submit and vote on articles. The reality is that with the new 1.1.3 release, Pligg is so much more than what Digg offers to users, and the best part is that Pligg is open source.

"While the front end of this new Karma method will be identical to the Digg method and display the number of votes cast for the story, the back end will be calculating a karma score for the article," the Pligg 1.1.3 release notes state. "That karma score is calculated by adding up all of the karma scores from users who have voted on the article. The site will then publish stories that have reached a certain karma score."

Oracle extends open source VirtualBox 4.0

By Sean Kerner   |    December 22, 2010

From the 'Hypervisor that Rocks' files:

Among the many technologies that Oracle acquired from Sun is the VirtualBox virtualization technology. This week Oracle officially released VirtualBox 4.0, improving performance, usability and scalability.

And guess what? The core product remains licensed under the GPLv2 - but wait, there is a catch.

Starting with this new VirtualBox 4.0 release, Oracle has reorganized the project so there is a base release and then there are Extension Packs, that extend VirtualBox and aren't necessarily open source either.

For the VirtualBox 4.0 release there is now one extension pack, which includes three new pieces of functionality: a virtual USB 2.0 (EHCI) device, VirtualBox Remote Desktop Protocol (VRDP) support and Intel PXE boot ROM with support for the E1000 network card.

Apache updates Subversion (svn) to 1.5.9 - Will you Git it?

By Sean Kerner   |    December 22, 2010

From the 'Git with the program' files:

The Apache Subversion (SVN) project is out with svn 1.5.9 providing some bug fixes for the open source code version control system.

"This release is intended for users who are still running the 1.5 release line, and contains a number of stability and performance fixes to previous 1.5.x releases," Apache Subversion developer Hyrum Wright wrote in a mailing list posting. "This release does *not* contain all the bug fixes and features which are found in the most current release of Subversion, 1.6.15."

The bigger question for me though is - who isn't now thinking about moving to Git?

For better or for worse, I have seen a continuous stream of open source projects move to Git over the course of the last year. Big efforts like the Eclipse Foundation are using it as well as smaller projects too. The prevailing theme that I hear time and again from Git users is that it fosters a more collaborative approach for community development.

Oracle updates Java, but not for security

By Sean Kerner   |    December 17, 2010

From the 'If A Tree Falls...' files:

Usually, updates of Java SE 6 include security fixes -- that's the normal course that I tend to expect. But that's not the case with the recent Java SE 6 update 23 (6u23) release.

"Java SE 6u23 does not contain any additional fixes for security vulnerabilities to its previous release, Java SE 6u22," Oracle's release notes state. "Users who have Java SE 6u22 have the latest security fixes and do not need to upgrade to this release to be current on security fixes."

Huh. That's not usual, is it?

That said, Java SE 6u23 does have performance and stability fixes - and from my perspective, with stability issues - sometimes there can be hidden memory error/crash exploitation issues that have to be reported, or discovered.

Apple, Oracle, EMC and Microsoft bought Novell's patents

By Sean Kerner   |    December 16, 2010

From the 'Produktmarkte:Patente' files:

So who is behind CPTN Holdings -- the group that is acquiring 882 patents from Novell for $450 million?

Initially the only details about the patents that we knew were that Microsoft was involved and that Novell is NOT selling their Unix copyrights. Now thanks to the German Government and a report from

CPTN Holdings includes Microsoft, Apple, Oracle and EMC. We don't know the exact share breakdown at this point but we do know what the primary product is that this group is offering.

The original German says it best: Produktmarkte:Patente

That's right, this group's product is patents.

The makeup of CPTN makes sense to me on a number of levels. The Open Invention Network (OIN) was supposed to be a clearing house for open source related patents, though it's debatable how effective that group actually is today.

OpenBSD backdoored by the FBI?

By Sean Kerner   |    December 15, 2010

From the 'Welcome To The Grid Program' files:

The open source OpenBSD operating system may have been infected by a backdoor set up by the FBI.

That's the very public allegation that a former contributor to OpenBSD made in an email to OpenBSD founder Theo de Raadt.

The alleged backdoor is in the OpenBSD IPsec VPN stack, and might have been added to the code ten years ago -- so it's unclear if it's still present today.

"Since we had the first IPSEC stack available for free, large parts of the code are now found in many other projects/products," de Raadt wrote. "Over 10 years, the IPSEC code has gone through many changes and fixes, so it is unclear what the true impact of these allegations are."

FreeBSD 9.0 headed to the cloud as 8.2 nears release

By Sean Kerner   |    December 15, 2010

From the 'Daemons In The Sky' Files:

The open source FreeBSD operating system is headed to the Amazon cloud. Not the mainline FreeBSD 8.x release, but rather the next generation FreeBSD 9 release that is currently in development.

The movement of FreeBSD to Amazon stems from work done by FreeBSD developers, with some direction and guidance from Amazon.

"One of my largest complaints about Amazon EC2 ever since it launched has been my inability to run FreeBSD on it," FreeBSD developer Colin Percival blogged. "The problems keeping FreeBSD out of EC2 have always been more FreeBSD-related than Amazon-related, however, and over the past month I've been hacking away at FreeBSD's Xen code, to the point where I can say something I've been waiting to say for a long time: FreeBSD now runs on Amazon EC2."

Wine advances ActiveX support for Linux and GTA4

By Sean Kerner   |    December 13, 2010

From the 'Run Windows on Linux?!' files:

For those Linux users that need or want to run Windows applications in Linux, here is some good news for you.

Wine 1.3.9 is now out, providing new stability and compatibility options. At the top of the list of new features in Wine (WINE is not an emulator) is the beginning of new ActiveX support in the browser.

Moving beyond ActiveX is a long list of fixes for Windows games that will now work on Linux.

Sure, Wine can be used for productivity apps, but Linux has no shortage of those on its own. Some could argue that Linux doesn't have a shortage of games either, but there always seem to be a few that people really want to run on Linux, but are only available for Windows.

Apache resigns from Java Community Process - What's next?

By Sean Kerner   |    December 09, 2010

From the 'They Told Us So' files:

Apache today officially resigned from the Java Community Process (JCP), after weeks of threatening to do so.

Earlier this week, I spoke with Apache's Geir Magnusson about the recent approval of the Java 7 and 8 specs, which Apache voted against. At the time, Magnusson said a decision was coming soon about staying with the JCP - and here we are.

At issue is the license under which Oracle makes the TCK (Technology Compatibility Kit) for Java available. In Apache's view, Oracle requires implementers to negotiate for separate licenses from Oracle for the TCK.

"The recent Java SE 7 vote was the last chance for the JCP Executive Committee (EC) to demonstrate that the EC has any intent to defend the JCP as an open specification process, and demonstrate that the letter and spirit of the law matter," Apache wrote in a statement. "Oracle provided the EC with a Java SE 7 specification request and license that are self-contradictory, severely restrict distribution of independent implementations of the spec, and most importantly, prohibit the distribution of independent open source implementations of the spec."

That's in line with what Apache has been saying for a while and mirrors what Magnusson told me earlier this week.

Wikileaks DDOS powered by open source tools?

By Sean Kerner   |    December 09, 2010

From the 'Don't Try This At Home' files:

According to SANS, one of the key tools being used as part of the Wikileaks driven DDOS attacks is something called JavaLOIC.

That tool is a port of the open source LOIC - Low Orbit Ion Cannon - stress testing tool that is freely available in the Sourceforge open source project repository. No, the tool you can find on Sourceforge isn't the one specifically configured to help the DDOS against public sites.

What LOIC represents in its original open source state is a legitimate tool for stress testing a web server. I've been using similar tools for years, including one called Siege, which I wrote about 6 years ago.

The core issue about LOIC and its use is all about control.

Google Crankshaft accelerates Chrome JavaScript

By Sean Kerner   |    December 08, 2010

From the 'Super-charged V8' files:

One of the big tech features of Google's Chrome browser is the V8 JavaScript engine.

Now, with a new overlay for V8 called 'Crankshaft', Google is claiming a 50 percent performance boost for what was already a blazing fast engine.

"Crankshaft uses adaptive compilation to improve both start-up time and peak performance," Google explained in a blog post. "The idea is to heavily optimize code that is frequently executed and not waste time optimizing code that is not. Because of this, benchmarks that finish in just a few milliseconds, such as SunSpider, will show little improvement with Crankshaft. The more work an application does, the bigger the gains will be."

That's cool.

Wordpress 3.0.3 updates open source tech AGAIN for security

By Sean Kerner   |    December 08, 2010

From the 'Update Now or be PWND' files:

It seems like just yesterday that Wordpress updated its wildly popular open source blogging software (it was actually last week).

As it turns out, they missed one flaw in the 3.0.2 release and that's why 3.0.3 is now out.

With the 3.0.3 release, Wordpress is addressing an XML-RPC flaw that could potentially enable non-admin users (that's right, just regular contributors) to edit or delete posts. Yes, that's serious, and yes, that means if you're running Wordpress today with remote publishing enabled, you need to update quickly to avoid this risk.

Kudos to Wordpress for moving so fast on this. Let's hope that self-hosted Wordpress users can move equally as fast.

Moving forward, Wordpress 3.1 is now in beta, and it could be out in general availability by the end of the year.

Linux vendors standardize on LSB 4.0 as 4.1 enters Beta

By Sean Kerner   |    December 07, 2010

From the 'Fragment This' files:

In July of 2008, the Linux Foundation started the process for standardizing Linux with the Linux Standards Base 4.0 spec.

This week, after a couple years of official availability, the Linux Foundation is set to formally announce that all of the leading commercial Linux vendors have now certified to LSB 4.0.

What took them so long?

Yes, I agree that LSB is an important tool to make sure that there is some degree of standardization across all Linux distributions. But the issue of packaging and broader dependencies is still a big one (for me, at least). The same RPM that I get for Fedora won't work on Ubuntu, and Ubuntu DEB packages won't work on SUSE, etc.

LibreOffice 3.3 hits RC1

By Sean Kerner   |    December 06, 2010

From the 'Six RCs Behind' files:

Ok then, LibreOffice, the OpenOffice.org fork, isn't vaporware.

The first release candidate for LibreOffice 3.3 is now available, showing off what this OpenOffice.org fork can do.

First of all, it's great that LibreOffice RC1 is out. There are so many efforts that get announced as 'forks' for various open source projects that falter not long after they are announced. Actually delivering on a roadmap and continuing beyond the initial announcement hype is an achievement in itself. It is clear to me that The Document Foundation is serious, dedicated and committed to its own path.

That said, from a user perspective, let's not forget that OpenOffice.org is now out with OOo 3.3 RC7. Oracle is still pushing forward aggressively with OpenOffice and isn't about to let go either.

Which means that a regular user today has (at least) two OpenOffice-type releases to choose from for version 3.3 and that will inevitably lead to some confusion.

Is Oracle's version of 3.3 more mature since it's at RC7? Maybe.

Oracle's ZFS imported into open source GRUB

By Sean Kerner   |    December 03, 2010

From the 'Thanks Oracle!' files:

GRUB is the bootloader of choice for many Linux distributions and it's now set to get new ZFS filesystem capabilities.

ZFS is being integrated into the mainline of GRUB, for a number of reasons -- not the least of which is the simple fact that the GPL enables the GRUB maintainers to do so - with or without Oracle's help.

"The ZFS code that has been imported into GRUB derives from the OpenSolaris version of GRUB Legacy," GRUB developer Robert Millan wrote on a mailing list posting. "On one hand, this code was released to the public under the terms of the GNU GPL. On the other, binary releases of Solaris included this modified GRUB, and as a result Oracle/Sun is bound by the GPL."

That's right, OpenSolaris may be dead, but that doesn't mean that forks like Illumos or others that want to use ZFS in an open source distribution (and its bootloader) are out of luck.

I suspect that Oracle could exercise the same pressures they have on Hudson and OOo and claim an issue with the use of the name ZFS (if it's a trademarked/copyrighted term), but the tech is open source and the GNU GRUB project is going to leverage the license to use ZFS.

That's what open source is all about after all, right? Software freedom.

Wordpress 3.0.2 updates for security, GPL

By Sean Kerner   |    December 01, 2010

From the 'Open Source Blogging' files:

Wordpress users: RUN don't walk to your terminal and update your Wordpress self-hosted blog NOW.

There is a new Wordpress 3.0.2 update now available that plugs a number of security issues -- though shockingly none of them have CVE numbers (yet).

Among the security fixes is one for a Cross Site Scripting (XSS) issue that could put users at risk when a plugin is deleted.

There is also a fix for what Wordpress describes as a "moderate security issue where a malicious Author-level user could gain further access to the site." That's right, your users could possibly get admin access to your site unless you update to 3.0.2.

Beyond security updates, there is also a really small update to the readme file, to clarify the license under which Wordpress is released.

"We cannot say that WordPress as a whole is GPLv2 (i.e. "GPLv2 only")," the Wordpress changelog states. "Go back to saying just GPL."